What You Need to Know About Cyber Security Penetration Testing for Your Law Firm
For any SME or large company, it is all too easy to be lulled into a false sense of cyber security. You may have a dedicated cyber team in place, a clear and well-communicated cyber strategy, and policies and procedures in place to protect your business. But unless you are pen testing a) continually and b) at each level of technological vulnerability, you really can’t be sure that you are safe.
Rather like a burglar who will ignore homes with security and look for those with open windows or unlocked doors, cyber criminals will take advantage of the smallest vulnerability to steal from or cause damage to your business.
In this article, we will explain why penetration testing (‘pen testing’) must be an ongoing process, the types of testing involved, how you can be sure you have enough pen testing in place, and how you can put the necessary resources and skills in place. Thankfully, according to cyber specialists Lares, the vast majority (~95%) of issues found by pen testing can be resolved with straightforward fixes; and you can be sure that those are the vulnerabilities most cyber criminals will leverage. As such, there is really no excuse for not fixing them.
What are the levels of pen testing you need to consider?
When many think of pen testing, they tend to only consider attacks from the outside of your network, whether in another town, city, or country. In practice, there are many other facets of business technology which could be vulnerable to attack.
External network testing
External network testing is designed to ensure that anyone outside your network perimeter/firewall is unable to carry out malicious acts by exploiting gaps in your defences. For example, a tester may attempt to see whether a virus or other malicious code can breach your defences, or assess what would happen in an attempted Distributed Denial of Service (DDoS) attack, in which an attacker tries to overwhelm your network with so much traffic that your systems cannot respond to legitimate requests.
Internal network testing
Often overlooked is the need to test for internal network vulnerabilities that could be exploited by anyone who has been able to get past your organisation’s external network defences, whether physically or virtually. This may be through a remote VPN connection, a disgruntled employee, or a criminal posing as an employee or contractor who has gained trusted network privileges.
Increasingly, internal networks are being breached by criminals using wi-fi. They achieve this by physically positioning themselves close to an office location and then taking advantage of known vulnerabilities in protocols such as the WPA standard to listen in on network activity.
A new phenomenon is also causing considerable challenges for pen testers: ‘Warshipping’. In this scenario, cyber criminals send a small electronic device (in fact a small battery-powered, wi-fi enabled computer with a 3G modem attached) in a parcel to a member of staff at a business. The device ‘sniffs’ the company’s surroundings for wireless access points and other data worth stealing. These devices can then be used to gain a ‘foothold’ on internal network traffic, or even to act as a separate network which employees may be enticed to connect to. Given the easy availability of such technology, it is easy to see how attacks of this nature may become commonplace. This also illustrates precisely why pen testing must be a rolling process, as new methods of attack are constantly being uncovered.
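The rogue access point scenario above (a planted device advertising a network that employees may connect to) is something an in-house team can check for between formal pen tests by comparing wireless scan results against an inventory of the firm’s own access points. The following script is an added example written for this article; it is not code from the article, from Lares, or from any product. The inventory, SSIDs, BSSIDs and the scan dump format are all constructed for illustration, and a real deployment would feed it the output of the firm’s own wireless controller or scanner.

```python
"""Rogue / evil-twin access point check against constructed scan data.

Added example (not from the article): a defender-side check that flags
access points which advertise a corporate SSID from an unknown BSSID, or
which use a look-alike name. Every SSID, BSSID and scan line is constructed.
"""
from dataclasses import dataclass
import re

# Hypothetical inventory of authorised access points: SSID -> set of BSSIDs.
AUTHORISED_APS = {
    "Firm-Staff": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "Firm-Guest": {"aa:bb:cc:00:00:03"},
}

# Constructed scan dump in a simple 'SSID;BSSID;SECURITY;SIGNAL_DBM' format.
SCAN_SAMPLE = """\
# SSID;BSSID;SECURITY;SIGNAL_DBM  (constructed sample)
Firm-Staff;AA:BB:CC:00:00:01;WPA2;-48
Firm-Guest;AA:BB:CC:00:00:03;WPA2;-55
Firm-Staff;DE:AD:BE:EF:00:01;WPA2;-40
Firm_Staff;DE:AD:BE:EF:00:02;OPEN;-42
CoffeeShop-Free;11:22:33:44:55:66;OPEN;-70
"""


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    security: str   # e.g. "WPA2", "WPA3", "OPEN"
    signal_dbm: int


def parse_scan(text):
    """Parse the constructed scan format; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, sec, sig = [p.strip() for p in line.split(";")]
        entries.append(ScanEntry(ssid, bssid.lower(), sec.upper(), int(sig)))
    return entries


def _normalise(name):
    """Lower-case and drop non-alphanumerics so 'Firm_Staff' matches 'Firm-Staff'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_rogue_aps(entries, authorised=AUTHORISED_APS):
    """Return a list of (bssid, ssid, reason) findings, in scan order."""
    findings = []
    known_names = {_normalise(s): s for s in authorised}
    for e in entries:
        if e.ssid in authorised:
            if e.bssid not in authorised[e.ssid]:
                # Exact corporate name from hardware we do not own.
                findings.append((e.bssid, e.ssid,
                                 "corporate SSID from unknown BSSID (possible evil twin)"))
            elif e.security == "OPEN":
                # Our own AP, but running without encryption.
                findings.append((e.bssid, e.ssid,
                                 "authorised BSSID advertising an open network (misconfiguration)"))
            continue
        norm = _normalise(e.ssid)
        if norm in known_names:
            # Not our name exactly, but close enough to fool a user.
            findings.append((e.bssid, e.ssid,
                             f"look-alike of corporate SSID {known_names[norm]!r}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(parse_scan(SCAN_SAMPLE)):
        print(f"{bssid}  {ssid!r}: {reason}")
```

Run against the constructed sample, the script reports the two planted devices (an exact-name evil twin and an open look-alike network) and ignores the unrelated coffee-shop network. The look-alike check is deliberately simple; in practice you would also tune the inventory so that BSSIDs are pulled from the wireless controller rather than maintained by hand.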
Web application testing
Social engineering testing
The final and often overlooked aspect of pen testing is in the area of social engineering. While you may have all of the technology necessary to protect your organisation, if a member of staff can be unwittingly duped into revealing sensitive corporate information, your business is exposed. Social engineering pen testing aims to test the compliance of your staff with existing rules, policies, and procedures intended to prevent such an occurrence. In doing so, a pen tester may deliberately target a member of staff to see how susceptible your law firm is to a social engineering attack.
It is important, however, to ensure that any pen testing which involves people, as opposed to systems, is done in a way which doesn’t cast blame on them or compromise their role in any way. That is not the intention of the exercise, and doing so can have unintended consequences. While this is a necessary test, it should not come at the cost of undermining confidence in the organisation or its management.
Pen testing is a vital exercise for all law firms, ensuring that their investment in cyber security is borne out by the ability to prevent real-life attacks from succeeding. By tackling pen testing at all levels of vulnerability, your law firm will be ahead of many others who have yet to implement such processes. Lack of skills and resources should not be a barrier to pen testing. You may opt to employ specialists in-house for this exercise or contract a third-party managed security service provider (MSSP) to do this for you. There is also the possibility of a hybrid approach whereby an in-house team uses third-party cloud-based tools, thus avoiding the need to install, maintain and manage cyber security testing platforms in-house; for smaller organisations this will save considerable time and help manage costs. Whichever approach you take, now is the time to review your firm’s approach to pen testing, before it is too late.